Multiple bfadmin login failures

Hello,

In the BF server audit logs, we’re seeing bunch of bfadmin login failures, but it doesn’t show the source. Is there a way to find out which source system or BF component is causing these failures?

1|Tue, 13 Jul 2021 11:23:39 -0500|INFO|bfadmin|RESTAPI|AUTHZ|LOGIN|“ip of the ROOT server”|user “bfadmin”: Failed log in. (API Connection)
1|Tue, 13 Jul 2021 11:23:42 -0500|INFO|bfadmin|RESTAPI|AUTHZ|LOGIN|“ip of the ROOT server”|bfadmin: Too many log in attempts. (API Connection)

From the looks at the logs, it seems the bfadmin account is trying to do a restapi call from the BF root server and failing. We did recently rotated the password for bfadmin and now we’re trying to track down where this restapi call is configured on the BF root server and where it’s making the call to? probably to itself?

Some areas to check:
Server Automation Engine
CloudPlugins
Insights ETL
BFI ETL
WebUI settings

1 Like

Also check Fixlets & Tasks, search for REST or SOAP credentials; these can configure the credentials for Server Automation or the Server Plugin Service.

I prefer for each integration to use a separate credential, precisely to identify which plugin is making these calls.

2 Likes

I pushed out the REST API credential for BES Server Plugin Service fixlet with the new password but that didn’t fix it. Is there a way to check if the SOAP credential is configured before trying to push that SOAP fixlet?

Yes; I forget the Registry key that it’s in, but if you read the actionscript of the Fixlet it should be pretty clear. If there is a value stored in that key then an earlier SOAP password was applied.

1 Like

so I checked the registry and it’s blank for both SOAP username/password. However, I did notice when I try to login to the BF Web Report url using the master operator “bfadmin”, I’m getting an invalid username or password which is strange b/c I know i’m using the correct creds. Could that be causing the failed login for the RESTAPI? Any idea how to fix it?

Are you certain the Web Reports user is “bfadmin”? Web Reports has its own users, which are stored in the Web Reports database, especially the first user created for Web Reports on login.

The only things we have configured is the BFI and WebUI. In the BFI besides the Data Source which I have already updated, is there anywhere else I need to check? And I’m not sure where to check after logging in the WebUI.

I’m not sure, because the previous engineer who set this up is no longer works for the company.